CN105450459B - A kind of system message processing method and collector - Google Patents
- Publication number: CN105450459B (application CN201511023137.XA)
- Authority: CN (China)
- Prior art keywords: message, normalization, event, collector, system message
- Legal status: Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/02—Standardisation; Integration
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/50—Network services
          - H04L67/56—Provisioning of proxy services
            - H04L67/562—Brokering proxy services
            - H04L67/565—Conversion or adaptation of application format or content
Abstract
The present invention provides a system message processing method for use in a system message processing system comprising sensors and collectors, in which each collector is connected to at least one sensor. The method comprises: the collector receives a system message sent by a sensor; the collector matches the system message against a pre-stored rule file that corresponds one-to-one to that sensor; the collector normalizes the matched system message and generates a normalization message corresponding one-to-one to the system message; and the collector outputs the normalization message. The invention can normalize the system messages sent by different devices in a local area network, provide data for analysis and data mining, and facilitate unified management and monitoring of the system messages in the local area network.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a system message processing method and a collector.
Background technique
With the rapid development of computer technology, enterprises and institutions in every industry have deployed local area networks. The hardware devices that make up a local area network include switches, routers, firewalls, servers and so on, and managing these devices is an essential part of the centralized monitoring and management of the local area network.

Every device in a local area network generates and sends system messages. A system message records any event in a device, including the execution status of running programs and system software and the operating condition of the hardware. With appropriate configuration, communication and centralized management between the various devices that send system messages can be achieved, and by analyzing these system messages the working state of the devices and of the network as a whole can be tracked.

However, the devices that make up a local area network are of many categories and models, and because they come from different manufacturers, each following its own company standard, the system messages issued for the same kind of event by devices of the same type from different manufacturers are entirely different. The system messages inside a single local area network therefore vary in character encoding, in the wording used to express an event, in the definition of event levels and in many other respects. How to fundamentally unify the format of system messages, manage the system messages in the local area network and achieve centralized monitoring and management of all devices in the local area network is an urgent problem to be solved in the computer field.
Summary of the invention
The technical problem to be solved by the present invention is to provide a system message processing method and a collector that address the drawbacks of the prior art described above, namely the problem of centralized monitoring and management of all system messages inside a local area network.
To achieve the above object, the present invention provides a system message processing method applied in a system message processing system comprising sensors and collectors, in which each collector is connected to at least one sensor. The method comprises:
the collector receives a system message sent by a sensor;
the collector matches the system message against a pre-stored rule file that corresponds one-to-one to the sensor, the rule file comprising at least one rule entry, and each rule entry being a correspondence between a system message and its processing rule;
the collector normalizes the matched system message and generates a normalization message corresponding one-to-one to the system message, the normalization message being a record with a unified set of normalization attributes;
the collector outputs the normalization message.
Specifically, the normalization attributes comprise extraction attributes, which the collector extracts directly from the successfully matched system message, and backfill attributes, which the collector backfills according to the successfully matched system message. The system message is a custom event log message generated by the sensor for different system events. The extraction attributes comprise: account, source IP, source port, destination IP, destination port, protocol type, event start time, event end time, event occurrence count, event summary, website accessed, DNS accessed, a reserved integer attribute and a reserved string attribute. The backfill attributes comprise: normalized event level, customer ID, custom event ID, custom event type, sensor ID, sensor IP, sensor mask, sensor type, collector ID, collector IP, system message receiving time and original log.
Specifically, the normalized event level is determined from the custom event type in the successfully matched system message and a preset correspondence of normalized event levels, the preset correspondence being a one-to-one relationship between the custom event types in successfully matched system messages and the normalized event levels.
Preferably, after the collector receives the system message sent by the sensor and before it matches the received system message against the rule file corresponding one-to-one to the sensor, the method further comprises the collector converting system messages with different character encodings into system messages with a unified character encoding.
Preferably, when the received system message does not match the pre-stored rule file corresponding one-to-one to the sensor, the collector matches the received system message against the pre-stored rule files corresponding to the other sensors.
Preferably, after the collector has generated the normalization message corresponding one-to-one to the successfully matched system message, the method further comprises the collector merging multiple normalization messages that, within a preset time range, have identical content in at least one normalization attribute, to generate a merged message; the merged message is an event record with the same unified normalization attributes as a normalization message, and the collector's output step then specifically comprises outputting the normalization messages and the merged messages.
Specifically, the at least one normalization attribute on which the collector merges normalization messages with identical content comprises custom event ID, sensor type, sensor IP, source IP and destination IP. Generating the merged message comprises: taking the event start time of the first normalization message being merged as the event start time of the merged message; taking the event end time of the last normalization message being merged as the event end time of the merged message; and taking the sum of the event occurrence counts of all the merged normalization messages as the event occurrence count of the merged message.
The system message processing method provided by the invention matches the system messages sent by different devices in a local area network against the configured processing rules and, on a successful match, normalizes them further: the collector extracts the corresponding attributes from the original system message according to the attribute definition of the unified normalization message, backfills attributes according to the normalization attribute definitions, and generates a normalization message corresponding one-to-one to the system message. Through the normalization messages output by the collector, the local area network can manage all of its system messages. The method further comprises character conversion and merging: the character conversion step unifies system messages of different character encodings before rule matching, which facilitates the subsequent rule matching and normalization; the merging step combines the messages generated by the same kind of event within a certain time range into one report, which saves network resources and makes problems easier to spot.
The present invention also provides a collector, comprising:
a receiving module, for receiving system messages sent by sensors;
a matching module, for matching the system message against a pre-stored rule file corresponding one-to-one to the sensor, the rule file comprising at least one rule entry, and each rule entry being a correspondence between a system message and its processing rule;
a normalization module, for normalizing the matched system message and generating a normalization message corresponding one-to-one to the system message, the normalization message being a record with a unified set of normalization attributes;
an output module, for outputting the normalization message.
Specifically, the matching module is used to obtain the extraction attributes extracted directly from the successfully matched system message and the backfill attributes that the collector backfills according to the successfully matched system message. The system message is a custom event log message generated by the sensor for different system events. The extraction attributes comprise: account, source IP, source port, destination IP, destination port, protocol type, event start time, event end time, event occurrence count, event summary, website accessed, DNS accessed, a reserved integer attribute and a reserved string attribute. The backfill attributes comprise: normalized event level, customer ID, custom event ID, custom event type, sensor ID, sensor IP, sensor mask, sensor type, collector ID, collector IP, system message receiving time and original log.
Specifically, the matching module determines the normalized event level from the custom event type in the successfully matched system message and a preset correspondence of normalized event levels, the preset correspondence being a one-to-one relationship between the custom event types in successfully matched system messages and the normalized event levels.
Preferably, the collector further comprises an encoding unification module, for converting system messages with different character encodings into system messages with a unified character encoding.
Preferably, the matching module is further used, when the received system message does not match the pre-stored rule file corresponding one-to-one to the sensor, to match the received system message against the pre-stored rule files corresponding to the other sensors.
Preferably, the collector further comprises a merging module, for merging multiple normalization messages that, within a preset time range, have identical content in at least one normalization attribute, to generate a merged message; the merged message is an event record with the same unified normalization attributes as a normalization message, and the output module is then specifically used to output the normalization messages and the merged messages.
Specifically, the at least one normalization attribute used by the merging module comprises custom event ID, sensor type, sensor IP, source IP and destination IP, and generating the merged message comprises: taking the event start time of the first normalization message being merged as the event start time of the merged message; taking the event end time of the last normalization message being merged as the event end time of the merged message; and taking the sum of the event occurrence counts of all the merged normalization messages as the event occurrence count of the merged message.
The collector provided by the present invention can receive the system messages sent by different devices in a local area network, match them against the preset processing rules, and further process those successfully matched system messages that require it: according to the attribute specification of the unified normalization message, the collector extracts the corresponding attributes from the system message, backfills some attributes, generates a normalization message corresponding one-to-one to the system message, and outputs it, so that the local area network achieves unified management of system messages by managing these normalization messages with unified attributes. The collector further has character conversion and merging functional modules: the character conversion function converts system messages using different character encodings into one character encoding before rule matching, which facilitates the subsequent processing; the merging function merges the system messages triggered by the same kind of event before sending them, which saves network resources and facilitates the subsequent monitoring and management work.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow diagram of the first embodiment of the system message processing method provided by the invention;
Fig. 2 is a flow diagram of the second embodiment of the system message processing method provided by the invention;
Fig. 3 is a structural schematic diagram of the collector provided by the invention as applied to the second embodiment.
Detailed description of the embodiments
To enable those skilled in the art to better understand the technical solution of the present invention, the invention is described in further detail below with reference to the drawings and embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the invention.
In a local area network, the devices that need to be managed, such as switches, routers, firewalls and servers, all send system messages. To better illustrate the method of the invention, a device that sends system messages is referred to as a sensor, and the device to which the system message processing method of the invention is applied, i.e. the device that manages these system messages, is referred to as a collector. A local area network contains multiple sensors and, as needed, one or more collectors; one collector is connected to multiple sensors and is responsible for receiving the system messages sent by the sensors, performing rule matching and normalization on them, and then outputting them.
Those skilled in the art will readily understand that, depending on the actual configuration of the local area network or the management requirements, the normalization messages output by the collector may be displayed by the collector itself or passed on to another management system, or an agent (proxy) center may be placed above the collectors to manage the normalization messages output by multiple collectors in the local area network in an integrated way, making the management of system messages more centralized. The present invention does not describe this arrangement further.
Fig. 1 is a flow diagram of the first embodiment of the system message processing method provided by the invention. As shown in Fig. 1, the flow of the first embodiment comprises:
Step S101: the collector receives a system message sent by a sensor.
Specifically, in a local area network one collector is connected to multiple sensors, and a system message received by the collector records the event information of the sensor that sent it.
Step S102: the collector matches the system message against the pre-stored rule file corresponding one-to-one to the sensor.
Among the system messages sent by a sensor, some record events that are needed for centralized management and monitoring, while others record events that are not needed. The collector first screens out the system messages it needs and discards the unneeded ones. Discarding includes dropping all system messages from a given sensor after screening on the sensor's IP address, and dropping the system messages that, after matching against certain rules, do not require further analysis.
The collector pre-stores a rule file corresponding one-to-one to each sensor connected to it. Each rule file comprises at least one rule entry, and each rule entry is a correspondence between a system message and its processing rule; that is, the system messages sent by each sensor are screened according to the pre-configured processing rules. Useful system messages require further normalization, whereas system messages generated, for example, by an administrator's configuration operations may not be needed for monitoring the local area network and are discarded.
Step S103: the collector normalizes the matched system message and generates a normalization message corresponding one-to-one to the system message.
Specifically, the collector further normalizes those successfully matched system messages that require further processing, and generates event records with unified normalization attributes according to the attribute specification of the network-wide unified normalization message.
The normalization attributes comprise the extraction attributes, which the collector extracts directly from the successfully matched system message, and the backfill attributes, which the collector backfills according to the successfully matched system message. The extraction attributes comprise: account, source IP, source port, destination IP, destination port, protocol type, event start time, event end time, event occurrence count, event summary, website accessed, DNS accessed, a reserved integer attribute and a reserved string attribute. The backfill attributes comprise: normalized event level, customer ID, custom event ID, custom event type, sensor ID, sensor IP, sensor mask, sensor type, collector ID, collector IP, system message receiving time and original log.
Among the above attributes, the customer ID is an informational attribute used to distinguish which system an event belongs to when events are reported to different systems as needed; the custom event type is the event type of the normalization message as defined by the collector; and the custom event ID is the event ID defined by the collector.
The normalized event level is determined from the custom event type in the successfully matched system message and a preset correspondence of normalized event levels, the preset correspondence being a one-to-one relationship between the custom event types in successfully matched system messages and the normalized event levels.
While normalizing system messages, the system message processing method of the invention also unifies the levels of system messages that follow different company standards, which facilitates management. The unified format of system message levels provided by the invention is as follows:

| Level | Name (English) | Color | Meaning | Category |
|---|---|---|---|---|
| 5 | Emergency | Red | Extremely urgent error; must be handled immediately | Critical alarm |
| 4 | Alert | Orange | An error has occurred in the system that must be corrected immediately | Major alarm |
| 3 | Error | Yellow | Serious error; should be handled as soon as possible | Minor alarm |
| 2 | Warning | Blue | Prompt that needs attention but is not critical | Warning |
| 1 | Information | Green | General informational prompt | Prompt |
For example, the correspondence between Syslog and SNMP Trap message levels and the normalized system message levels is as follows:

| Normalized system message level | Level in the source message |
|---|---|
| 5 | 0 |
| 4 | 1 |
| 3 | 2, 3 |
| 2 | 4, 5 |
| 1 | 6, 7 |
| 1 | all other values |
For manufacturer-specific system messages that do not use a unified message level scheme, the levels are mapped onto grades 1 to 5 according to the specific level scheme in use, with reference to the message levels above.
Step S104: the collector outputs the normalization message.
Specifically, the collector outputs the normalization messages according to the corresponding rules, for example in chronological order or grouped by the event level of the normalization message; this is not described further.
The system message processing method provided by this embodiment matches the system messages sent by different devices in a local area network against preset rules, screens out the system messages that require further processing and normalizes them, generates normalization messages with unified normalization attributes, and also normalizes the levels of the system messages, thereby achieving centralized monitoring and management of system messages across different devices and different manufacturers.
Fig. 2 is a flow diagram of the second embodiment of the system message processing method provided by the invention. As shown in Fig. 2, the second embodiment comprises the following steps:
S201: receive a system message sent by a sensor.
Same as step S101 of the first embodiment.
S202: unify the character encoding of the system message.
Specifically, because system messages come from different sensors, they also use different character encodings, including UTF-8, GB2312, GBK and others. The invention converts system messages to a single character encoding so that the subsequent rule file matching and normalization are more standardized.
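Step S202 as an added example (not the patent's code, which the description does not include): a collector-side decoder that tries the three encodings named above in a safe order and hands every message to rule matching as text. The sample messages are constructed, and the handling of bytes that decode under none of the encodings is an assumption.

```python
# Candidate encodings in the order they are tried. UTF-8 must come first: GB2312/GBK bytes
# almost never form valid UTF-8, whereas UTF-8 Chinese text decodes "successfully" as GBK
# into mojibake, so trying GBK first would silently corrupt every UTF-8 message.
CANDIDATE_ENCODINGS = ("utf-8", "gb2312", "gbk")

# Constructed sample messages as sensors might emit them: ASCII, UTF-8 and GBK bytes.
# The two non-ASCII samples carry the same four-character Chinese text ("login failed").
SAMPLE_MESSAGES = [
    b"<38>sshd: Failed password for root",
    "<38>sshd: \u767b\u5f55\u5931\u8d25".encode("utf-8"),
    "<38>sshd: \u767b\u5f55\u5931\u8d25".encode("gbk"),
]


def unify_encoding(raw: bytes) -> tuple:
    """Return (text, detected_encoding) for one raw system message."""
    for enc in CANDIDATE_ENCODINGS:
        try:
            return raw.decode(enc), enc
        except UnicodeDecodeError:
            continue
    # Nothing decoded cleanly (assumption): keep the line, with the undecodable bytes
    # marked, so it can still be placed in the unmatched record rather than dropped.
    return raw.decode("utf-8", errors="replace"), "unknown"


def unify_all(messages=SAMPLE_MESSAGES) -> list:
    """Decode a batch of raw messages; every returned text is a str ready for rule matching."""
    return [unify_encoding(m) for m in messages]
```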
S203: judge whether the system message matches the pre-stored rule file corresponding to the sensor; if so, jump to step S206, otherwise proceed to step S204.
Specifically, the collector matches the received system message against the rule file pre-stored in the collector that corresponds to the sensor that sent the message. The matching result is either a successful match or a failed match. On a successful match, further normalization is performed. A failed match means that the rule file pre-stored in the collector has no corresponding rule entry; the message may be a system message not predefined by the rule file, or it may be error-code information sent by the sensor.
S204: judge whether the system message matches a pre-stored rule file corresponding to another sensor; if so, jump to step S206, otherwise proceed to step S205.
Specifically, when the match between the system message and the rule file corresponding to its sending sensor fails, the collector further matches the system message against the pre-stored rule files corresponding to the other sensors, thereby improving the match rate of system messages.
S205: place the system message in the unmatched system message record.
Specifically, when the system message also fails to match the rule files corresponding to the other sensors, the collector places the system message in an unmatched system message record, so that the corresponding rule file can later be improved, or so that hidden faults of the sensor can be discovered.
S206: normalize the system message and generate a normalization message.
Specifically, when the system message successfully matches a rule file, the collector further normalizes it.
It should be understood that the handling of a successful match covers two cases: the match succeeds and the message is further normalized to generate a normalization message; or the match succeeds but the system message requires no further processing and can be discarded.
The generation of the normalization message is the same as in step S103 of the first embodiment and is not described further.
Preferably, when matching system messages against rule files, the rule entries are divided into different levels according to the level of the event, the event type and the specific content of the event in the system message, so as to manage the rule file better.
For example, the invention uses three event classification attributes, class (classification), subclass and family (characteristic), to represent a three-level classification of normalized events, and system messages are matched against the rule entries level by level, which facilitates further monitoring and management.
Preferably, the invention also provides a method for normalizing the different time formats found in system messages. In system messages, time formats include numeric formats and string formats: numeric formats include millisecond timestamps, second timestamps and negative-value times, while string formats include dates written as year-month-day or as month-day-year; in addition there are abbreviated numeric or string forms. During normalization of a system message, the different time formats need to be normalized to a single unified time format.
S207: judge whether the merging condition is met.
Specifically, the invention also provides the function of merging normalization messages after the collector has generated them. System messages are triggered by different events, and when the same kind of event occurs repeatedly within a certain time range, identical normalization messages are generated frequently; without further merging this wastes network resources in the local area network and also hinders the analysis of problems and the monitoring and management work.
It should be understood that merging normalization messages requires a set time range: normalization messages outside the preset time range are not merged, and by presetting the time range the normalization messages within it that meet the merging condition are merged. The invention also provides a preferred method: after the collector generates and outputs a normalization message, it caches the sent normalization message; within a certain period, for example 120 seconds, each newly generated normalization message is compared with the normalization message sent first, and if the merging condition is met the collector waits for the next identical normalization message and merges them.
The merging condition provided by the invention is that at least one normalization attribute is identical, for example the custom event type, sensor type, sensor IP, source IP and destination IP; when all five of these normalization attributes are identical, the collector merges the two normalization messages.
S208: perform the merge and generate the merged message.
Specifically, the event start time of the first normalization message being merged becomes the event start time of the merged message;
the event end time of the last normalization message being merged becomes the event end time of the merged message;
and the sum of the event occurrence counts of all the merged normalization messages becomes the event occurrence count of the merged message.
Merging identical normalization messages greatly reduces the number of normalization messages the collector needs to output.
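Steps S203 to S208 as one added example in Python (not the patent's own code, which the description does not include): rule-file matching with the fallback to the other sensors' rule files, the extraction and backfill attributes, the syslog severity to normalized level table given in the first embodiment, and the 120-second merge that keeps the first start time, the last end time and the summed occurrence count. The sensor IPs, rule patterns, event IDs, collector IP and syslog lines are constructed for the example; using the custom event ID (as in the summary of the invention) rather than the custom event type as the merge key is a choice made here.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Normalized event levels from the description (5 Emergency ... 1 Information) and its
# syslog/SNMP trap severity -> normalized level table; "all other values" map to 1.
SOURCE_LEVEL_MAP = {0: 5, 1: 4, 2: 3, 3: 3, 4: 2, 5: 2, 6: 1, 7: 1}
COLLECTOR_IP = "10.0.0.100"            # constructed collector identity (a backfill attribute)
MERGE_WINDOW = timedelta(seconds=120)  # the 120 s cache period given in step S207
MERGE_KEY = ("event_id", "sensor_type", "sensor_ip", "src_ip", "dst_ip")  # merge condition

# Pre-stored rule files, one per sensor (keyed by sensor IP); each rule entry pairs a regex
# over the message text with the custom event ID/type it maps to. Sensors, patterns and
# event names are constructed for this example and are not taken from the patent.
RULE_FILES = {
    "10.0.0.1": {"sensor_type": "firewall", "rules": [
        {"event_id": 1001, "event_type": "firewall_deny",
         "pattern": re.compile(r"DENY (?P<proto>TCP|UDP) (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
                               r" -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)")},
    ]},
    "10.0.0.2": {"sensor_type": "server", "rules": [
        {"event_id": 2001, "event_type": "auth_failure",
         "pattern": re.compile(r"Failed password for (?P<account>\w+) from (?P<src_ip>[\d.]+)")},
    ]},
}
_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)  # RFC 3164 header: PRI = facility*8 + severity


def normalize_level(source_level: int) -> int:
    """Map a syslog severity (0-7) onto the normalized 1-5 level."""
    return SOURCE_LEVEL_MAP.get(source_level, 1)


def normalize(raw: str, sensor_ip: str, received_at: datetime) -> Optional[dict]:
    """Steps S203/S204/S206: try the sending sensor's rule file first, then the other
    sensors' files; return a normalization message, or None for the unmatched record."""
    m = _PRI.match(raw)
    severity = int(m.group(1)) & 7 if m else 6
    text = m.group(2) if m else raw
    for ip in [sensor_ip] + [other for other in RULE_FILES if other != sensor_ip]:
        for rule in RULE_FILES.get(ip, {}).get("rules", []):
            hit = rule["pattern"].search(text)
            if hit is None:
                continue
            f = hit.groupdict()
            own = RULE_FILES.get(sensor_ip, RULE_FILES[ip])  # sensor type of the real sender
            return {
                # extraction attributes: taken directly from the matched message
                "account": f.get("account"), "proto": f.get("proto"),
                "src_ip": f.get("src_ip"), "src_port": f.get("src_port"),
                "dst_ip": f.get("dst_ip"), "dst_port": f.get("dst_port"),
                "event_start": received_at, "event_end": received_at, "count": 1,
                "summary": text[:80],
                # backfill attributes: supplied by the collector, not by the message
                "level": normalize_level(severity),
                "event_id": rule["event_id"], "event_type": rule["event_type"],
                "sensor_ip": sensor_ip, "sensor_type": own["sensor_type"],
                "collector_ip": COLLECTOR_IP, "received_at": received_at,
                "original_log": raw,
            }
    return None


def merge(messages: list, window: timedelta = MERGE_WINDOW) -> list:
    """Steps S207/S208: messages whose five merge attributes are identical and whose event
    time falls within `window` of the first message of their group become one message."""
    merged, open_groups = [], {}
    for msg in sorted(messages, key=lambda x: x["event_start"]):
        key = tuple(msg[k] for k in MERGE_KEY)
        cur = open_groups.get(key)
        if cur is not None and msg["event_start"] - cur["event_start"] <= window:
            cur["event_end"] = msg["event_end"]  # end time of the last merged message
            cur["count"] += msg["count"]         # sum of the occurrence counts
            continue
        cur = dict(msg)                          # start time stays that of the first
        open_groups[key] = cur
        merged.append(cur)
    return merged


def run_demo() -> list:
    """Feed constructed sensor traffic through normalize() and merge()."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    s = lambda n: t0 + timedelta(seconds=n)
    feed = [  # (raw syslog line, sending sensor IP, time received); all constructed
        ("<132>DENY TCP 192.168.1.5:4444 -> 10.1.1.1:22", "10.0.0.1", s(0)),
        ("<132>DENY TCP 192.168.1.5:4445 -> 10.1.1.1:22", "10.0.0.1", s(30)),
        ("<132>DENY TCP 192.168.1.5:4446 -> 10.1.1.1:22", "10.0.0.1", s(90)),
        ("<132>DENY TCP 192.168.1.5:4447 -> 10.1.1.1:22", "10.0.0.1", s(300)),  # outside window
        ("<38>Failed password for root from 192.168.1.5", "10.0.0.2", s(10)),
        ("<38>Failed password for root from 192.168.1.5", "10.0.0.1", s(20)),  # matched via S204
        ("<13>vendor-specific text with no rule entry", "10.0.0.1", s(0)),  # -> unmatched record
    ]
    normalized = [n for n in (normalize(*item) for item in feed) if n is not None]
    return merge(normalized)
```

The three denies within 120 seconds collapse into one merged message with count 3, the fourth deny starts a new group, and the auth failure from the firewall sensor is normalized through the server sensor's rule file but keeps the real sender's sensor IP and type.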
S209: output the normalization message or the merged message.
Specifically, the collector outputs normalization messages or merged messages according to certain preset output rules for subsequent processing and display; this is not described in detail here.
The system message processing method provided by this embodiment adds, on the basis of the first embodiment, the functions of unifying the character encoding of system messages and of merging normalization messages, so that the management of system messages is more standardized and complete, network resource utilization is improved, and subsequent monitoring and management are facilitated.
Fig. 3 is a structural schematic diagram of the collector provided by the invention as applied to the second embodiment. As shown in Fig. 3, the collector comprises:
a receiving module 301, for receiving system messages sent by sensors;
an encoding unification module 302, for converting system messages with different character encodings into system messages with a unified character encoding;
a matching module 303, for matching the system message against a pre-stored rule file corresponding one-to-one to the sensor, the rule file comprising at least one rule entry, and each rule entry being a correspondence between a system message and its processing rule. The matching module is specifically used to obtain the extraction attributes extracted directly from the successfully matched system message and the backfill attributes that the collector backfills according to the successfully matched system message; the system message is a custom event log message generated by the sensor for different system events; the extraction attributes comprise: account, source IP, source port, destination IP, destination port, protocol type, event start time, event end time, event occurrence count, event summary, website accessed, DNS accessed, a reserved integer attribute and a reserved string attribute; the backfill attributes comprise: normalized event level, customer ID, custom event ID, custom event type, sensor ID, sensor IP, sensor mask, sensor type, collector ID, collector IP, system message receiving time and original log. It is further used to determine the normalized event level from the custom event type in the successfully matched system message and a preset correspondence of normalized event levels, the preset correspondence being a one-to-one relationship between the custom event types in successfully matched system messages and the normalized event levels. It is further used, when the received system message does not match the pre-stored rule file corresponding one-to-one to the sensor, to match the received system message against the pre-stored rule files corresponding to the other sensors;
Normalization module 304, for normalizing matched system messages and generating normalization messages in one-to-one correspondence with the system messages, a normalization message being an event record with unified normalization attributes.
Merging module 305, for merging, within a preset time range, multiple normalization messages whose content is identical in at least one normalization attribute into a merged message, the merged message being an event record with the same unified normalization attributes as a normalization message. Specifically, the at least one normalization attribute includes custom event type, sensor type, sensor IP, source IP and destination IP, and generating the merged message includes: the event occurrence time of the first normalization message merged is determined as the event occurrence time of the merged message; the event end time of the last normalization message merged is determined as the event end time of the merged message; and the sum of the event frequencies of all merged normalization messages is determined as the event frequency of the merged message.
Output module 306, specifically for outputting the normalization messages and the merged messages.
The collector provided by this embodiment can match the system messages sent by different devices in the local area network according to preset rules and generate normalization messages with unified normalization attributes. It further provides the functions of unifying the character encoding of system messages and merging normalization messages, realizing centralized monitoring and management of system messages across different devices and different manufacturers, so that system message management is more standardized and complete, network resource utilization is improved, and subsequent monitoring and management are facilitated.
In the embodiments provided herein, it should be understood that the disclosed method, apparatus and system may be implemented in other ways. For example, the apparatus embodiments described above are merely schematic; the division into functional modules is only a division by logical function, and other divisions are possible in actual implementation, for example, multiple modules may be combined or integrated into another system, or some features may be omitted or not executed.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (14)
1. A system message processing method, applied to a system message processing system including sensors and a collector, one collector being connected to at least one sensor, the method comprising the following steps:
the collector receives a system message sent by a sensor;
the collector matches the system message against the prestored rule file corresponding one-to-one to the sensor, to filter out the system messages that need to be normalized, the rule file including at least one rule entry, each rule entry being the correspondence between a system message and its processing rule;
the collector normalizes the matched system message and generates a normalization message in one-to-one correspondence with the system message, the normalization message being an event record with unified normalization attributes;
the collector outputs the normalization message.
2. The system message processing method according to claim 1, characterized in that the normalization attributes specifically include:
the extraction attributes extracted directly by the collector from the successfully matched system message and the backfill attributes backfilled by the collector according to the successfully matched system message, the system message being a custom event record message generated by the sensor for a system event;
the extraction attributes include: account number, source IP, source port, destination IP, destination port, protocol type, event occurrence time, event end time, event frequency, event summary, website accessed, DNS accessed, integer reserved attribute, and string reserved attribute;
the backfill attributes include: normalized event level, customer ID, custom event ID, custom event type, sensor ID, sensor IP, sensor mask, sensor type, collector ID, collector IP, system message receiving time, and original log.
3. The system message processing method according to claim 2, characterized in that the normalized event level specifically includes:
determining the normalized event level from the custom event type in the successfully matched system message and a preset normalized event level correspondence, the preset normalized event level correspondence being a one-to-one relationship between the custom event types in successfully matched system messages and normalized event levels.
4. The system message processing method according to claim 1, characterized in that after the collector receives the system message sent by the sensor and before the collector matches the received system message against the prestored rule file corresponding one-to-one to the sensor, the method further includes:
the collector converts system messages with different character encodings into system messages with a unified character encoding.
5. The system message processing method according to claim 1, characterized in that after the collector matches the received system message against the prestored rule file corresponding one-to-one to the sensor, the method further includes:
when the system message received by the collector does not match the prestored rule file corresponding one-to-one to the sensor, the collector matches the received system message against the prestored rule files corresponding to the other sensors.
6. The system message processing method according to claim 1, characterized in that after the collector generates, from the successfully matched system messages, normalization messages in one-to-one correspondence with the system messages, the method further includes:
the collector merges, within a preset time range, multiple normalization messages whose content is identical in at least one normalization attribute into a merged message, the merged message being an event record with the same unified normalization attributes as a normalization message;
the collector outputting the normalization message specifically includes:
the collector outputs the normalization messages and the merged messages.
7. The system message processing method according to claim 6, characterized in that the collector merging multiple normalization messages whose content is identical in at least one normalization attribute into a merged message specifically includes:
the at least one normalization attribute includes custom event ID, sensor type, sensor IP, source IP and destination IP;
generating the merged message includes:
the event occurrence time of the first normalization message merged is determined as the event occurrence time of the merged message;
the event end time of the last normalization message merged is determined as the event end time of the merged message;
the sum of the event frequencies of all merged normalization messages is determined as the event frequency of the merged message.
8. A collector, characterized by comprising:
a receiving module, for receiving the system messages sent by the sensors;
a matching module, for matching the system message against the prestored rule file corresponding one-to-one to the sensor, to filter out the system messages that need to be normalized, the rule file including at least one rule entry, each rule entry being the correspondence between a system message and its processing rule;
a normalization module, for normalizing matched system messages and generating normalization messages in one-to-one correspondence with the system messages, the normalization message being a file with unified normalization attributes;
an output module, for outputting the normalization messages.
9. The collector according to claim 8, characterized in that:
the matching module is specifically used to determine the extraction attributes extracted directly from the successfully matched system message and the backfill attributes that the collector backfills according to the successfully matched system message, the system message being a custom event record message generated by the sensor for a system event;
the extraction attributes include: account number, source IP, source port, destination IP, destination port, protocol type, event occurrence time, event end time, event frequency, event summary, website accessed, DNS accessed, integer reserved attribute, and string reserved attribute;
the backfill attributes include: normalized event level, customer ID, custom event ID, custom event type, sensor ID, sensor IP, sensor mask, sensor type, collector ID, collector IP, system message receiving time, and original log.
10. The collector according to claim 9, characterized in that:
the matching module is specifically used to determine the normalized event level from the custom event type in the successfully matched system message and a preset normalized event level correspondence, the preset normalized event level correspondence being a one-to-one relationship between the custom event types in successfully matched system messages and normalized event levels.
11. The collector according to claim 8, characterized by further comprising:
an encoding unification module, for converting system messages with different character encodings into system messages with a unified character encoding.
12. The collector according to claim 8, characterized in that:
the matching module is specifically used, when the system message received by the collector does not match the prestored rule file corresponding one-to-one to the sensor, to match the received system message against the prestored rule files corresponding to the other sensors.
13. The collector according to claim 8, characterized by further comprising:
a merging module, for merging, within a preset time range, multiple normalization messages whose content is identical in at least one normalization attribute into a merged message, the merged message being an event record with the same unified normalization attributes as a normalization message;
the output module is specifically used to output the normalization messages and the merged messages.
14. The collector according to claim 13, characterized in that:
the merging module is specifically used such that the at least one normalization attribute includes custom event ID, sensor type, sensor IP, source IP and destination IP;
generating the merged message includes: the event occurrence time of the first normalization message merged is determined as the event occurrence time of the merged message, the event end time of the last normalization message merged is determined as the event end time of the merged message, and the sum of the event frequencies of all merged normalization messages is determined as the event frequency of the merged message.
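As an added example (not code from the patent), the following Python sketch implements the matching, normalization and merging steps described for the second embodiment above and restated in claims 7 and 14: each rule entry is a regular expression whose named groups are the extraction attributes, the backfill attributes and the event-type-to-level mapping come from the collector's own configuration, and merging applies the first-start, last-end, summed-frequency rule within a preset time window. The rule-file format, attribute names, sensor identifiers and sample messages are all constructed assumptions; the merge key uses the custom event type as in the description (claims 7 and 14 name the custom event ID, which is one-to-one with the type here).

```python
import re

# Constructed rule files, one per sensor (hypothetical format; the patent defines none).
# Named regex groups are the extraction attributes; the other fields are backfilled.
RULE_FILES = {
    "fw-01": {"sensor_ip": "10.0.0.2", "sensor_type": "firewall", "rules": [{
        "pattern": r"^DENY src=(?P<source_ip>\S+):(?P<source_port>\d+) "
                   r"dst=(?P<dest_ip>\S+):(?P<dest_port>\d+) ts=(?P<event_start>\d+)$",
        "event_type": "firewall_deny", "event_id": 1001}]},
}
EVENT_LEVEL = {"firewall_deny": 3}   # preset custom event type -> normalized level
MERGE_KEY = ("event_type", "sensor_type", "sensor_ip", "source_ip", "dest_ip")


def normalize(sensor_id, raw, received_at, collector_id="col-01"):
    """Match raw against the sensor's own rule file first, then the other sensors'
    files (the fallback of claim 5); return a normalized dict or None."""
    for sid in [sensor_id] + [s for s in RULE_FILES if s != sensor_id]:
        rule_file = RULE_FILES[sid]
        for rule in rule_file["rules"]:
            m = re.match(rule["pattern"], raw)
            if m is None:
                continue
            msg = m.groupdict()                      # extraction attributes
            msg["event_start"] = msg["event_end"] = int(msg["event_start"])
            msg["event_count"] = 1
            msg.update({                             # backfill attributes
                "event_type": rule["event_type"], "event_id": rule["event_id"],
                "event_level": EVENT_LEVEL[rule["event_type"]], "sensor_id": sid,
                "sensor_ip": rule_file["sensor_ip"], "sensor_type": rule_file["sensor_type"],
                "collector_id": collector_id, "received_at": received_at, "original_log": raw})
            return msg
    return None


def merge(messages, window):
    """Merge messages whose MERGE_KEY attributes are identical and whose start time
    lies within `window` seconds of the group's first message."""
    merged, open_groups = [], {}
    for msg in sorted(messages, key=lambda m: m["event_start"]):
        key = tuple(msg[k] for k in MERGE_KEY)
        group = open_groups.get(key)
        if group and msg["event_start"] - group["event_start"] <= window:
            group["event_end"] = msg["event_end"]        # end time of the last message merged
            group["event_count"] += msg["event_count"]   # event frequencies are summed
            continue
        if group:
            merged.append(group)                         # window elapsed: close the group
        open_groups[key] = dict(msg)                     # first message supplies the start time
    merged.extend(open_groups.values())
    return sorted(merged, key=lambda m: m["event_start"])


# Constructed sample: three denies within 60 s, one later, and one unmatched line.
SAMPLE = [("fw-01", "DENY src=192.0.2.10:5100 dst=198.51.100.5:22 ts=1000"),
          ("fw-01", "DENY src=192.0.2.10:5101 dst=198.51.100.5:22 ts=1020"),
          ("fw-01", "DENY src=192.0.2.10:5102 dst=198.51.100.5:22 ts=1050"),
          ("fw-01", "DENY src=192.0.2.10:5103 dst=198.51.100.5:22 ts=1200"),
          ("fw-01", "kernel: unrecognised line")]


def process(sample, window=60, received_at=2000):
    """Collector pipeline: normalize each system message, drop non-matches, merge."""
    normalized = [normalize(sid, raw, received_at) for sid, raw in sample]
    return merge([m for m in normalized if m is not None], window)
```

Messages that match no rule file are dropped here rather than normalized, which is the natural place to count or log unknown sources so that a new or misconfigured sensor does not silently vanish from the collector's output.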
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201511023137.XA (CN105450459B) | 2015-12-30 | 2015-12-30 | A kind of system message processing method and collector
Publications (2)
Publication Number | Publication Date
---|---
CN105450459A (en) | 2016-03-30
CN105450459B (en) | 2019-06-07
Family ID: 55560264
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201511023137.XA (CN105450459B, active) | A kind of system message processing method and collector | 2015-12-30 | 2015-12-30
Country Status (1)
Country | Link
---|---
CN (1) | CN105450459B (en)
Legal Events
Code | Title
---|---
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant